Security news roundup: January 20

Here's a collection of recent security vulnerabilities and alerts, which covers a new vulnerability discovered in Winamp, a security update from Citrix, a report on more rootkits vectoring in on the MBR, a new vulnerability in Skype, a remote code execution vulnerability in Microsoft Excel, and a heap overflow bug in Cisco Unified Communications Manager.


Vulnerability discovered in Winamp

Two critical security holes have been discovered in the popular Winamp media player. The holes are located in the in_mp3.dll library.

The vulnerabilities are caused by boundary errors in in_mp3.dll within the construction of stream titles when parsing Ultravox streaming metadata. This can be exploited to cause stack-based buffer overflows via overly long "<artist>" and "<name>" tag values in the <metadata> section.

Versions 5.21, 5.5 and 5.51 of Winamp are confirmed as having the vulnerabilities. Other versions may also be affected, though. Users are advised to update their players as soon as possible. Winamp 5.52, which fixes the flaw, has been released.

Citrix issues security update

Citrix has released software updates for its server products to fix a remote code injection vulnerability. The actual fault lies with the IMA service component, which is found in many of Citrix's server products.

The IMA service is used by Citrix Presentation Server for inter-server and management communications. Sending a specially crafted packet could result in an internal buffer being overflowed. This could lead to execution of malicious code in the context of the IMA server process.

The vulnerable service is installed by Citrix MetaFrame and Presentation Servers up to and including 4.5, Citrix Access Essentials and the Citrix Desktop Server. Administrators should apply the update immediately.

Rootkits shifting their attention to the MBR

A new class of malware that attaches to the MBR (Master Boot Record) has been uncovered by security researchers. While not new, this malware tends to take the form of rootkits, which get a boost in subverting the kernel because they run before the operating system even loads.

About 30,000 websites, mostly located in Europe, are actively trying to install the rootkit by exploiting users who have failed to install Windows updates, Richard [Director of the rapid response team for iDefense] says. There were 5,000 infections from December 12 to January 7. The rootkit is being spread by the same group responsible for distributing the Torpig banking Trojans, which are used to steal online banking credentials.

Vulnerability discovered in Skype

A researcher has discovered a flaw in Skype that, under certain circumstances, allows malicious code to be run. The problem is caused by Skype's web control, as demonstrated by security researcher Aviv Raff.

Actually taking advantage of the bug would require malware authors to find a trusted site with a cross-zone scripting error. These types of errors are relatively common, and allow for the execution of potentially unsafe scripts as if they carried higher permissions than they actually do.

The bug currently affects Skype v.3.6.0.244, though it could well be present in older versions of Skype. You can avoid exposure to potential infection simply by not running any video searches in Skype.

Remote code execution vulnerability found in Microsoft Excel

A bug in Excel has been discovered that can potentially allow a remote user to gain control of the machine. No patches are available at this point, though Microsoft has released a number of recommendations to mitigate the problem.

Users [are recommended to] run suspect Excel files through MOICE (Microsoft Office Isolated Conversion Environment), a free conversion tool released last year that converts Office 2003 format documents into the more secure Office 2007 formats to strip out possible exploit code. Alternately, it told administrators they could block all Office 2003 and earlier formats except those in “trusted locations” by using File Block, a last-ditch defense that requires editing the Windows registry or modifying Group Policy settings.

Heap overflow bug in Cisco Unified Communications Manager

Cisco has issued a warning about a heap overflow bug in its Unified Communications Manager, or Call Manager. The bug could potentially allow remote attackers to execute arbitrary code. The Call Manager manages calls in Cisco's IP telephony products.

The flaw exists within the Certificate Trust List Provider Service (CTLProvider.exe), which authenticates and distributes certificates. It normally binds to TCP port 2444 over an SSL encrypted transport. Due to a flaw in the way data is received in a loop, it can overflow its heap allocation allowing arbitrary code execution. No specific details of the flaw have been provided.

Versions of the Unified Communications Manager prior to 4.2 SR3 and 4.3 SR1, as well as Unified Call Manager prior to 4.0 and 4.1 SR5c, are affected.

About Paul Mah

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.
